The middle section of the Triage Alerts page on the Carbon Black EDR console lets you filter by various criteria, including Reports.

By default, the Reports display shows the report ID (for example, dbe2eab5-3829-45df-b6c4-3dfb7a215d69). You can change the display to show the report name (for example, “PowerShell executed with encoded instructions”).

To change the display, you must change a setting in the cb.conf file. The default value of this setting is False. For more information about cb.conf, see the VMware Carbon Black EDR Server Configuration Guide.

Caution: If you enable this setting, additional memory will be used in proportion to the number of reports on your server.

Procedure

  1. On the Carbon Black EDR server, open /etc/cb/cb.conf for editing.
  2. Set FeedHitLoadReportTitles=True.
  3. Set the number of characters (from -1 to 80) for the report name in the FeedHitMaxReportTitleLength field. The default (and maximum) number of characters is 80. A value of -1 keeps the report name from being truncated in bus events, syslog, and email notifications. 
     FeedHitLoadReportTitles=True 
 FeedHitMaxReportTitleLength=80
  4. Restart cb-enterprise services.

Results

After you have changed the cb.conf setting and restarted cb-enterprise services, the report names are populated in the following places:
  • In the Triage Alerts page Records filter.
  • Bus events.
  • Syslog notifications.
  • Email notifications. Both report ID and report name are displayed in the email. If the feature is turned off, the report name is displayed as “Unknown”.